1

I am trying to close connections from the command line. For instance, I am trying to close my SSH connection with these Nmap commands:

$ sudo nmap -p 22 --scanflags RST <mySSHServerPublicIP>
$ sudo nmap -p 22 --scanflags FIN <mySSHServerPublicIP>

Once a TCP handshake is done (the SYN, SYN-ACK, ACK sequence is complete) and the connection is established, my understanding is that the server or client closes this connection gracefully by sending a FIN, or ungracefully by sending a RST.

I also tried to spoof my server to close the connection on my client:

$ sudo nmap -p 23926 --scanflags FIN -S <mySSHServerPublicIP> <MyLocalIP> -Pn -n -e <interface>

Those commands have no effect. Would anyone know why they don't close the connection?

6
  • Well, first you would have to actually hijack the TCP connection in order to inject a FIN or RST into it. If the device doesn't get the correct SYN and ACK values from your packet, it will ignore it. Most modern IP stacks are too sophisticated to predict the values that will allow the packet to be processed as part of the logical connection. Additionally, TCP requires both ends to acknowledge a FIN, so the client FINs, the server responds with an ACK, and then a separate FIN, so that both ends agree the connection is closed. Commented Feb 29, 2016 at 4:06
  • But I am expecting to see Close_Wait after sending a FIN, but this doesn't happen. How come TCPView can close a connection? Does it hijack the connection? Is this possible with tcpvcon or hping? Commented Feb 29, 2016 at 4:40
  • Simply put, you are probably not going to be able to do what you want. Computer engineers and scientists spent decades developing a system that expressly forbids you from doing what you are trying to do. Commented Feb 29, 2016 at 6:02
  • Thank you for your answer, this is too broad though. I hope someone will be able to come up with a technical analysis. I'll make a network trace and compare what closing a connection with TCPView does, and what this nmap command does. Commented Feb 29, 2016 at 20:44
  • By all means. I do recommend you read up on the TCP three-way handshake for how connections are created. It will help you understand why a packet from outside the logical connection is ignored, and how it is identified (e.g. invalid SYN and ACK values). BTW, TCPView just tells the OS to close the port. It doesn't send a packet. Commented Feb 29, 2016 at 21:13

1 Answer

0

Nmap isn't the right tool for this job.

In order to close the connection, I need to predict the TCP sequence number, increment it by one and reply with a FIN or RST. It appears Scapy would allow me to do that... I will update this answer after some practical testing.
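
Why the probes in the question leave the session untouched, shown as an added example that is not part of the original post: a simplified receiver-side model of the RFC 793 segment acceptability test and the RFC 5961 RST rules for an ESTABLISHED connection. It ignores ACK-number validation and payload data, and every address, port and sequence number in it is a constructed sample value.

```python
# Simplified model of how an ESTABLISHED TCP endpoint treats a zero-length
# FIN or RST segment (RFC 793 acceptability test, RFC 5961 RST handling).
# All addresses, ports and sequence numbers are constructed sample values.
from dataclasses import dataclass

MOD = 1 << 32  # TCP sequence numbers wrap at 2**32

@dataclass(frozen=True)
class Conn:
    four_tuple: tuple  # (local_ip, local_port, remote_ip, remote_port)
    rcv_nxt: int       # next sequence number expected from the peer
    rcv_wnd: int       # current receive window size

@dataclass(frozen=True)
class Segment:
    four_tuple: tuple  # receiver's view: (dst_ip, dst_port, src_ip, src_port)
    seq: int
    flags: frozenset   # e.g. frozenset({"FIN", "ACK"})

def in_window(conn, seq):
    """RCV.NXT <= SEG.SEQ < RCV.NXT + RCV.WND, in modulo-2**32 arithmetic."""
    return (seq - conn.rcv_nxt) % MOD < conn.rcv_wnd

def classify(conn, seg):
    """Return the receiver's reaction to one incoming segment."""
    if seg.four_tuple != conn.four_tuple:
        return "not-this-connection"  # other socket pair: session state untouched
    if not in_window(conn, seg.seq):
        # Out-of-window RST is dropped silently; anything else only draws an ACK.
        return "drop" if "RST" in seg.flags else "ack-and-drop"
    if "RST" in seg.flags:
        # RFC 5961: only an exact match on RCV.NXT resets the connection.
        return "reset" if seg.seq == conn.rcv_nxt else "challenge-ack"
    if "ACK" not in seg.flags:
        return "drop"                 # RFC 793: no ACK bit, segment is discarded
    if "FIN" in seg.flags:
        # A FIN is acted on only once it is in order, i.e. at RCV.NXT.
        return "close-wait" if seg.seq == conn.rcv_nxt else "out-of-order"
    return "accept"

# Constructed sample: SSH server's view of one client session (window wraps).
SERVER = Conn(("203.0.113.10", 22, "198.51.100.7", 50514), 4294960000, 65535)

if __name__ == "__main__":
    # A bare FIN probe from an unrelated source port with an arbitrary sequence number.
    probe = Segment(("203.0.113.10", 22, "198.51.100.7", 61000), 123456789,
                    frozenset({"FIN"}))
    print(classify(SERVER, probe))
```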
